socks5systemz | fec8e6f6b14a88b99cae2e25ecac09cc605c0d3b73402c9b3f14f874f6b3cb22

Analysis

max time kernel
143s
max time network
128s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
12/02/2024, 04:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fec8e6f6b14a88b99cae2e25ecac09cc605c0d3b73402c9b3f14f874f6b3cb22.exe
Size

7.5MB
MD5

42f5eb399ee94ad2bb7809e600abebf7
SHA1

3a2c7d6b63ce50367c9c27a08a164ac037663919
SHA256

fec8e6f6b14a88b99cae2e25ecac09cc605c0d3b73402c9b3f14f874f6b3cb22
SHA512

0e39437fb30e47817e4b86d77d83037f6962df69996cb0cb343714bd641705403a24850f2a4d9760bbd0c19cfd75fb9d4e4aa67612682b203429300152d61cfa
SSDEEP

196608:iCKQKmhnguWQkn9sl7pQ//XYenYQs9bOBKhOcq3RW:DmmVuQkn9sl7KX2QswBKhnyE

Score

10^/10

socks5systemz botnet discovery

Malware Config

Signatures

Detect Socks5Systemz Payload 3 IoCs

resource	yara_rule
behavioral1/memory/1264-96-0x00000000028E0000-0x0000000002982000-memory.dmp	family_socks5systemz
behavioral1/memory/1264-99-0x00000000028E0000-0x0000000002982000-memory.dmp	family_socks5systemz
behavioral1/memory/1264-108-0x00000000028E0000-0x0000000002982000-memory.dmp	family_socks5systemz

Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz

Detects executables packed with VMProtect. 19 IoCs

resource	yara_rule
behavioral1/memory/2624-67-0x0000000000400000-0x00000000007C1000-memory.dmp	INDICATOR_EXE_Packed_VMProtect
behavioral1/memory/2624-71-0x0000000000400000-0x00000000007C1000-memory.dmp	INDICATOR_EXE_Packed_VMProtect
behavioral1/memory/2624-70-0x0000000000400000-0x00000000007C1000-memory.dmp	INDICATOR_EXE_Packed_VMProtect
behavioral1/memory/1264-75-0x0000000000400000-0x00000000007C1000-memory.dmp	INDICATOR_EXE_Packed_VMProtect
behavioral1/memory/1264-78-0x0000000000400000-0x00000000007C1000-memory.dmp	INDICATOR_EXE_Packed_VMProtect
behavioral1/memory/1264-83-0x0000000000400000-0x00000000007C1000-memory.dmp	INDICATOR_EXE_Packed_VMProtect
behavioral1/memory/1264-84-0x0000000000400000-0x00000000007C1000-memory.dmp	INDICATOR_EXE_Packed_VMProtect
behavioral1/memory/1264-87-0x0000000000400000-0x00000000007C1000-memory.dmp	INDICATOR_EXE_Packed_VMProtect
behavioral1/memory/1264-90-0x0000000000400000-0x00000000007C1000-memory.dmp	INDICATOR_EXE_Packed_VMProtect
behavioral1/memory/1264-93-0x0000000000400000-0x00000000007C1000-memory.dmp	INDICATOR_EXE_Packed_VMProtect
behavioral1/memory/1264-98-0x0000000000400000-0x00000000007C1000-memory.dmp	INDICATOR_EXE_Packed_VMProtect
behavioral1/memory/1264-104-0x0000000000400000-0x00000000007C1000-memory.dmp	INDICATOR_EXE_Packed_VMProtect
behavioral1/memory/1264-107-0x0000000000400000-0x00000000007C1000-memory.dmp	INDICATOR_EXE_Packed_VMProtect
behavioral1/memory/1264-111-0x0000000000400000-0x00000000007C1000-memory.dmp	INDICATOR_EXE_Packed_VMProtect
behavioral1/memory/1264-114-0x0000000000400000-0x00000000007C1000-memory.dmp	INDICATOR_EXE_Packed_VMProtect
behavioral1/memory/1264-117-0x0000000000400000-0x00000000007C1000-memory.dmp	INDICATOR_EXE_Packed_VMProtect
behavioral1/memory/1264-120-0x0000000000400000-0x00000000007C1000-memory.dmp	INDICATOR_EXE_Packed_VMProtect
behavioral1/memory/1264-124-0x0000000000400000-0x00000000007C1000-memory.dmp	INDICATOR_EXE_Packed_VMProtect
behavioral1/memory/1264-127-0x0000000000400000-0x00000000007C1000-memory.dmp	INDICATOR_EXE_Packed_VMProtect

Executes dropped EXE 3 IoCs

pid	Process
2880	fec8e6f6b14a88b99cae2e25ecac09cc605c0d3b73402c9b3f14f874f6b3cb22.tmp
2624	etcherlite.exe
1264	etcherlite.exe

Loads dropped DLL 6 IoCs

pid	Process
2304	fec8e6f6b14a88b99cae2e25ecac09cc605c0d3b73402c9b3f14f874f6b3cb22.exe
2880	fec8e6f6b14a88b99cae2e25ecac09cc605c0d3b73402c9b3f14f874f6b3cb22.tmp
2880	fec8e6f6b14a88b99cae2e25ecac09cc605c0d3b73402c9b3f14f874f6b3cb22.tmp
2880	fec8e6f6b14a88b99cae2e25ecac09cc605c0d3b73402c9b3f14f874f6b3cb22.tmp
2880	fec8e6f6b14a88b99cae2e25ecac09cc605c0d3b73402c9b3f14f874f6b3cb22.tmp
2880	fec8e6f6b14a88b99cae2e25ecac09cc605c0d3b73402c9b3f14f874f6b3cb22.tmp

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	141.98.234.31

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2880	fec8e6f6b14a88b99cae2e25ecac09cc605c0d3b73402c9b3f14f874f6b3cb22.tmp
2880	fec8e6f6b14a88b99cae2e25ecac09cc605c0d3b73402c9b3f14f874f6b3cb22.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2880	fec8e6f6b14a88b99cae2e25ecac09cc605c0d3b73402c9b3f14f874f6b3cb22.tmp

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2304 wrote to memory of 2880	2304	fec8e6f6b14a88b99cae2e25ecac09cc605c0d3b73402c9b3f14f874f6b3cb22.exe	19
PID 2304 wrote to memory of 2880	2304	fec8e6f6b14a88b99cae2e25ecac09cc605c0d3b73402c9b3f14f874f6b3cb22.exe	19
PID 2304 wrote to memory of 2880	2304	fec8e6f6b14a88b99cae2e25ecac09cc605c0d3b73402c9b3f14f874f6b3cb22.exe	19
PID 2304 wrote to memory of 2880	2304	fec8e6f6b14a88b99cae2e25ecac09cc605c0d3b73402c9b3f14f874f6b3cb22.exe	19
PID 2304 wrote to memory of 2880	2304	fec8e6f6b14a88b99cae2e25ecac09cc605c0d3b73402c9b3f14f874f6b3cb22.exe	19
PID 2304 wrote to memory of 2880	2304	fec8e6f6b14a88b99cae2e25ecac09cc605c0d3b73402c9b3f14f874f6b3cb22.exe	19
PID 2304 wrote to memory of 2880	2304	fec8e6f6b14a88b99cae2e25ecac09cc605c0d3b73402c9b3f14f874f6b3cb22.exe	19
PID 2880 wrote to memory of 2624	2880	fec8e6f6b14a88b99cae2e25ecac09cc605c0d3b73402c9b3f14f874f6b3cb22.tmp	27
PID 2880 wrote to memory of 2624	2880	fec8e6f6b14a88b99cae2e25ecac09cc605c0d3b73402c9b3f14f874f6b3cb22.tmp	27
PID 2880 wrote to memory of 2624	2880	fec8e6f6b14a88b99cae2e25ecac09cc605c0d3b73402c9b3f14f874f6b3cb22.tmp	27
PID 2880 wrote to memory of 2624	2880	fec8e6f6b14a88b99cae2e25ecac09cc605c0d3b73402c9b3f14f874f6b3cb22.tmp	27
PID 2880 wrote to memory of 1264	2880	fec8e6f6b14a88b99cae2e25ecac09cc605c0d3b73402c9b3f14f874f6b3cb22.tmp	30
PID 2880 wrote to memory of 1264	2880	fec8e6f6b14a88b99cae2e25ecac09cc605c0d3b73402c9b3f14f874f6b3cb22.tmp	30
PID 2880 wrote to memory of 1264	2880	fec8e6f6b14a88b99cae2e25ecac09cc605c0d3b73402c9b3f14f874f6b3cb22.tmp	30
PID 2880 wrote to memory of 1264	2880	fec8e6f6b14a88b99cae2e25ecac09cc605c0d3b73402c9b3f14f874f6b3cb22.tmp	30

C:\Users\Admin\AppData\Local\Temp\fec8e6f6b14a88b99cae2e25ecac09cc605c0d3b73402c9b3f14f874f6b3cb22.exe
"C:\Users\Admin\AppData\Local\Temp\fec8e6f6b14a88b99cae2e25ecac09cc605c0d3b73402c9b3f14f874f6b3cb22.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Users\Admin\AppData\Local\Temp\is-IVCDT.tmp\fec8e6f6b14a88b99cae2e25ecac09cc605c0d3b73402c9b3f14f874f6b3cb22.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-IVCDT.tmp\fec8e6f6b14a88b99cae2e25ecac09cc605c0d3b73402c9b3f14f874f6b3cb22.tmp" /SL5="$40108,7652121,54272,C:\Users\Admin\AppData\Local\Temp\fec8e6f6b14a88b99cae2e25ecac09cc605c0d3b73402c9b3f14f874f6b3cb22.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2880
- - C:\Users\Admin\AppData\Local\Etcher Lite\etcherlite.exe
    "C:\Users\Admin\AppData\Local\Etcher Lite\etcherlite.exe" -i
    3⤵
    - Executes dropped EXE
    PID:2624
- - C:\Users\Admin\AppData\Local\Etcher Lite\etcherlite.exe
    "C:\Users\Admin\AppData\Local\Etcher Lite\etcherlite.exe" -s
    3⤵
    - Executes dropped EXE
    PID:1264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Etcher Lite\etcherlite.exe

Filesize
308KB

MD5
73c283efddd5d1d65fd6937dbc1f6b0a

SHA1
be1edb7e992d5e62cd0fbc6085d04f81bf4ee1f2

SHA256
029b7749efe0467a20db9ab3ccccf29d12fbafb29e55da17f2089f52fb22e63b

SHA512
068361ec6681b35c4058eb3ce9760128df452364fde23c20ec49ce0a85578682da28ab16ba9a98bbfccf6a2e5e99a1fd44f5f039b2a939a5922e49acc85ab49c

Download Submit
C:\Users\Admin\AppData\Local\Etcher Lite\etcherlite.exe

Filesize
298KB

MD5
f2395702d39d2a1922e10c0d3a24c93e

SHA1
04532c7410d0c2a5322640e8ab805ee00ef9dced

SHA256
b36d7ffa1c32f2cb995f4cd2b6ee876389030f420464fc4f6a1d74fc1c9999dc

SHA512
a60dd61fb3d1bb758377120e4e421fe35f953efc1798adbdab84ecc65e070fb83608287dd59f9a255ea3b8d07463de014792bcd6e0cd75dd4f2ce6c61e7e50a4

Download Submit
C:\Users\Admin\AppData\Local\Etcher Lite\etcherlite.exe

Filesize
6KB

MD5
741537f3b2939a7e58ce5dc86596facb

SHA1
244daab5017386ab47a1b072309f5fe1998bafa3

SHA256
20619795fc8e1e0466f1479321a46e87c4298cd3cc0a1e9c6cfbe25e2e81b9e4

SHA512
27cd1f89899e2cf38eec19d65fb7655165d5501b8f2b584049955f674e7f40cad16212ae664bd92103524f447efc732a835318ae998ddca438773d0a2f478828

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-IVCDT.tmp\fec8e6f6b14a88b99cae2e25ecac09cc605c0d3b73402c9b3f14f874f6b3cb22.tmp

Filesize
294KB

MD5
0c83cffa59e938bf5f9906e166fb9a3d

SHA1
0d984deea0163d5203ab320eb75a4a7feb18cdba

SHA256
8098fa26824d210a1ebc7337ca600245a34c144886a3077cb20df0f12e923dd4

SHA512
e45ef8dee4a54bf53ff2776b635f4293a95dfcf60b8143b10b6c450e954e06e8fee06b0ce82c376b40a676dbdd63c15966b56e99a66852893354aede3dd90a04

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-IVCDT.tmp\fec8e6f6b14a88b99cae2e25ecac09cc605c0d3b73402c9b3f14f874f6b3cb22.tmp

Filesize
596KB

MD5
660b59ce8cb0703f7eb38fa552ff093e

SHA1
0b5f12dbb6095822e5a0dab792d49e219bbdf4db

SHA256
2c8d54876113c676bd02c7084dc04d487dfd776966aa4675824e1510250011c6

SHA512
31387718f93c245bbf244bce1029915efcf80047812b7790721b61be9a95f405bc268202e76a113695106b10f8d825388c9f9d882d1e84c33424bcca3e05bdac

Download Submit
\Users\Admin\AppData\Local\Etcher Lite\etcherlite.exe

Filesize
399KB

MD5
4ebaf94dd1a949d6d7f5e763407cd31b

SHA1
4baea959d122faf5aa449934fb8dec918b3ac128

SHA256
bcd38dff6303c508b2884ecfb4db714f7c5fe61f386e9c6b36a29b0e7022a4d3

SHA512
619b42fdae84011925166e5f3512222c015bfb096ba70d72fcd7d9afa822717ca53ec6d853f45722915a72693a68049d879e3ee4e84b96b9bbfbbb5c5643b3c3

Download Submit
\Users\Admin\AppData\Local\Temp\is-561AF.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-561AF.tmp\_isetup\_isdecmp.dll

Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
\Users\Admin\AppData\Local\Temp\is-561AF.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-IVCDT.tmp\fec8e6f6b14a88b99cae2e25ecac09cc605c0d3b73402c9b3f14f874f6b3cb22.tmp

Filesize
619KB

MD5
b7452766d00ba65294aeaaa4d11569c5

SHA1
f867367a48fe749319bc51949515c2b8eb13de51

SHA256
722817883b7dfb418c625e2a574c2bf9574e0aa23629f1bbba8cb36bc2fd0d7e

SHA512
c62cd868ae1cdca0a811fc2c2bab1255792f78b97bf988389654c69080ba678967bee86a1dc18d4bb6a4ae981f61b889b4e5903d060d7425a632e8b2aab5a134

Download Submit
memory/1264-87-0x0000000000400000-0x00000000007C1000-memory.dmp

Filesize
3.8MB

Download
memory/1264-93-0x0000000000400000-0x00000000007C1000-memory.dmp

Filesize
3.8MB

Download
memory/1264-111-0x0000000000400000-0x00000000007C1000-memory.dmp

Filesize
3.8MB

Download
memory/1264-108-0x00000000028E0000-0x0000000002982000-memory.dmp

Filesize
648KB

Download
memory/1264-107-0x0000000000400000-0x00000000007C1000-memory.dmp

Filesize
3.8MB

Download
memory/1264-127-0x0000000000400000-0x00000000007C1000-memory.dmp

Filesize
3.8MB

Download
memory/1264-73-0x0000000000400000-0x00000000007C1000-memory.dmp

Filesize
3.8MB

Download
memory/1264-104-0x0000000000400000-0x00000000007C1000-memory.dmp

Filesize
3.8MB

Download
memory/1264-99-0x00000000028E0000-0x0000000002982000-memory.dmp

Filesize
648KB

Download
memory/1264-75-0x0000000000400000-0x00000000007C1000-memory.dmp

Filesize
3.8MB

Download
memory/1264-124-0x0000000000400000-0x00000000007C1000-memory.dmp

Filesize
3.8MB

Download
memory/1264-98-0x0000000000400000-0x00000000007C1000-memory.dmp

Filesize
3.8MB

Download
memory/1264-78-0x0000000000400000-0x00000000007C1000-memory.dmp

Filesize
3.8MB

Download
memory/1264-120-0x0000000000400000-0x00000000007C1000-memory.dmp

Filesize
3.8MB

Download
memory/1264-117-0x0000000000400000-0x00000000007C1000-memory.dmp

Filesize
3.8MB

Download
memory/1264-83-0x0000000000400000-0x00000000007C1000-memory.dmp

Filesize
3.8MB

Download
memory/1264-84-0x0000000000400000-0x00000000007C1000-memory.dmp

Filesize
3.8MB

Download
memory/1264-114-0x0000000000400000-0x00000000007C1000-memory.dmp

Filesize
3.8MB

Download
memory/1264-90-0x0000000000400000-0x00000000007C1000-memory.dmp

Filesize
3.8MB

Download
memory/1264-96-0x00000000028E0000-0x0000000002982000-memory.dmp

Filesize
648KB

Download
memory/2304-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2304-76-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2304-2-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2624-70-0x0000000000400000-0x00000000007C1000-memory.dmp

Filesize
3.8MB

Download
memory/2624-71-0x0000000000400000-0x00000000007C1000-memory.dmp

Filesize
3.8MB

Download
memory/2624-67-0x0000000000400000-0x00000000007C1000-memory.dmp

Filesize
3.8MB

Download
memory/2624-66-0x0000000000400000-0x00000000007C1000-memory.dmp

Filesize
3.8MB

Download
memory/2880-65-0x0000000003470000-0x0000000003831000-memory.dmp

Filesize
3.8MB

Download
memory/2880-80-0x0000000003470000-0x0000000003831000-memory.dmp

Filesize
3.8MB

Download
memory/2880-79-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2880-77-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2880-14-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download